Configure and Monitor — Trust but Verify

Back in the ‘80s, President Reagan said of a missile treaty with the Soviet Union, “Trust, but Verify.”

That phrase is very apt for information security too; especially as it relates to securing data on your internal systems.

You may trust your administrators to “do the right thing,” but the act of verifying your trust in them can also help you identify Advanced Persistent Threats (APTs) lurking in your network!

We’re talking about the security configuration of your systems. Monitoring these configurations is a relatively low cost, low impact security management task you can start doing now. You can do it manually, but it’s much better to automate it. And there are several third-party tools on the market that do a good job of automatically monitoring many aspects of security configuration.

But you don’t need to buy a third-party product to get a good start.

How to Monitor Security Settings with the IBM i Security Toolkit and Standard IBM Commands

The free IBM i Security Toolkit contains tools that generate a lot of the information you will need. Many of them also show you what has changed since the last time you ran the tool.

Check out GO SECTOOLS and GO SECBATCH from a command line. If you aren’t doing any monitoring today, these menus get you a long way down the path of monitoring a large part of the security-related configuration settings.

For all the security-related configuration settings, the general process is the same.

  1. List the current value of the settings or the list of current items as your baseline.
  2. Periodically check the current settings against your baseline list.
  3. Determine the reason for any discrepancies. Discrepancies will probably fall into one of the following categories: intended; unauthorized but explained; or unauthorized and unexplained. Obviously, the ones you need to worry about the most are the unexplained, unauthorized changes. These are the ones that could indicate an attacker has breached your security and is trying to make sure they can easily retain or regain access in the future.
  4. For all approved changes, make sure you update your baseline list appropriately. Do this as often as you can.

Some commands require you to save your baseline report and manually compare subsequent reports with the saved baseline to identify changes. Others handle the process for you. They create the baseline by running a full report. Then, by subsequently running change reports, they produce reports that contain only the changes from the baseline. The only issue with these is that they produce reports even if they contain no entries. So, you still have to look at the report.

TIP:  If you are a CL or RPG programmer, you can automate the generation of change reports for commands that don’t offer that option. You can also automate the process of checking change reports for entries you need to investigate, and then notifying you if they do.

What to Monitor: System Values

Look at all security-relevant system value settings. (If you don’t know what they are, look in the Security Reference Manual.)  Make a note of their current settings.

The PRTSYSSECA (security toolkit) command will help you by producing a report of the current values of security-related system values and network attributes.

It also has a “recommended value” column.  For configuration and monitoring purposes, ignore it. That’s not to say the recommendations aren’t valid or valuable. The point is that right now you need to get a handle on what your settings are and if they are being changed.

PRTSYSSECA doesn’t cover every possible security-related configuration, but it’s a great start. And what the heck, it’s free!

Periodically print a new report and compare it to the previous one. If you automate the comparison so that you aren’t bothered when there are no differences, run the report once a day. If you must manually compare the reports, try to do this at least once a month. The more time between comparisons, the less valuable the discrepancy information will be for you.

What to Monitor: Private & Public Authority

Monitor the private and public authority on your sensitive libraries, directories and objects.

IBM provides the PRTPUBAUT and PRTPVTAUT commands as part of the security toolkit. These commands print reports containing the current public and private authorities for specified libraries and object types. They have two different report types: Full and Change.

The first time you run the command with a particular set of parameters, use the Full report type. This gets you a list of the current public or private authorities for the items matching your parameters.

Thereafter, run Change reports. These show only the changes since the last time you ran the report. Schedule the change reports to run as often as you will have time to check them for changes.

Again, if you are a CL or RPG programmer, automate the process of checking for entries in the change report, and send yourself an email, text, or system message to check the report if changes appear.

Due to the way these commands are implemented, you need to run individual reports against each sensitive library and object type. If you automate checking the change report for entries, it doesn’t really matter how many reports you ultimately generate.

What to Monitor: User Profiles

User profiles are another critical item to monitor.

Attackers need a user profile to access your system. They like to use profiles to which you are not paying attention. If they have the opportunity, they will sometimes create a new profile for their own use. They also like profiles that haven’t been used in a while.

So, when you monitor, look for new profiles, especially those with special authorities. Also, watch for existing profiles to which special authorities have been added.

The PRTUSRPRF command is a good place to start for monitoring these changes. You’ll have to automate the comparison of the current report to the previous ones, though.
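The comparison the text says you have to automate looks like the following. This is an added example, not code from the original post or from IBM: it compares two user profile snapshots and flags exactly the three things the section warns about, new profiles (ranked by whether they carry special authorities), existing profiles that have gained special authorities, and profiles that have not been used for a long time. The snapshot lines are constructed in a simple CSV layout (profile, status, special authorities, last-used date), not the layout of the PRTUSRPRF report; how you export the real data (a spooled file, or an SQL query against the user profile information) is up to you, and `parse_profiles` is the only function that depends on it.

```python
"""Detect new profiles, added special authorities and stale profiles (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed snapshots, "PROFILE,STATUS,SPECIAL AUTHORITIES,LAST USED".
# Profile names and dates are invented for this example.
BASELINE_SNAPSHOT = """\
QSECOFR,*ENABLED,*ALLOBJ *SECADM *AUDIT *IOSYSCFG *JOBCTL *SAVSYS *SERVICE *SPLCTL,2024-05-01
JSMITH,*ENABLED,*NONE,2024-05-02
BATCHOPR,*ENABLED,*JOBCTL,2024-01-15
"""

CURRENT_SNAPSHOT = """\
QSECOFR,*ENABLED,*ALLOBJ *SECADM *AUDIT *IOSYSCFG *JOBCTL *SAVSYS *SERVICE *SPLCTL,2024-05-03
JSMITH,*ENABLED,*ALLOBJ,2024-05-03
BATCHOPR,*ENABLED,*JOBCTL,2024-01-15
SVCACCT,*ENABLED,*ALLOBJ *SECADM,2024-05-03
TMPUSER,*ENABLED,*NONE,2024-05-03
"""


@dataclass(frozen=True)
class Profile:
    name: str
    status: str
    special_authorities: Set[str]
    last_used: date


def parse_profiles(text: str) -> Dict[str, Profile]:
    """Parse the constructed CSV layout; '*NONE' means no special authorities."""
    profiles = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, status, specials, last_used = [f.strip() for f in line.split(",")]
        auths = set() if specials == "*NONE" else set(specials.split())
        profiles[name] = Profile(name, status, auths, date.fromisoformat(last_used))
    return profiles


def new_profiles(baseline: Dict[str, Profile],
                 current: Dict[str, Profile]) -> List[Tuple[str, str]]:
    """Profiles absent from the baseline; 'high' if created with special authorities."""
    findings = []
    for name in sorted(set(current) - set(baseline)):
        severity = "high" if current[name].special_authorities else "low"
        findings.append((name, severity))
    return findings


def added_special_authorities(baseline: Dict[str, Profile],
                              current: Dict[str, Profile]) -> Dict[str, Set[str]]:
    """Existing profiles whose special authorities grew since the baseline."""
    gained = {}
    for name in sorted(set(baseline) & set(current)):
        extra = current[name].special_authorities - baseline[name].special_authorities
        if extra:
            gained[name] = extra
    return gained


def stale_profiles(current: Dict[str, Profile], as_of: date,
                   max_idle_days: int = 90) -> List[str]:
    """Enabled profiles not used within max_idle_days: the kind attackers like to borrow."""
    return sorted(name for name, p in current.items()
                  if p.status == "*ENABLED" and (as_of - p.last_used).days > max_idle_days)


def run_profile_check(as_of: date) -> Dict[str, object]:
    """Run all three checks over the constructed snapshots and return the findings."""
    baseline = parse_profiles(BASELINE_SNAPSHOT)
    current = parse_profiles(CURRENT_SNAPSHOT)
    return {
        "new": new_profiles(baseline, current),
        "gained": added_special_authorities(baseline, current),
        "stale": stale_profiles(current, as_of),
    }


if __name__ == "__main__":
    for kind, items in run_profile_check(date(2024, 5, 3)).items():
        if items:   # stay silent when a check finds nothing
            print(f"{kind}: {items}")
```

Treat a non-empty `new` list with severity `high`, or any entry in `gained`, as something to investigate the same day; the `stale` list is a candidate set to disable or review, since those profiles rarely have anyone watching them.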

Get Started!

There are lots of other things you should monitor: new auto-started TCP applications, new programs that adopt high-powered profiles, trigger programs, and more. Commands exist for lots of these, too.

The ones I have mentioned here, though, certainly provide a good start for your “trust, but verify” activities.

When you’re ready to take the next steps to protect your systems, give me a call. I would be happy to guide you.

This entry was posted in IBM i Security, Info Security Mgmt, User Authority.